‘Heartbleed’ Virus Shakes Up Internet


Heartbleed is the latest security breach to infect the internet, and breaches have been occurring all over the country. However, the average Mercy College student remains uninformed or unconcerned about the threats lurking in their smartphones and laptops. When a group of students was asked if they knew about this problem, 80 percent admitted they were unaware and had not heard about it.

“I have no idea what Heartbleed is. I haven’t heard about it,” said Vanessa Bigard, a senior studying health science.

Even with all the media coverage, many don’t know what these breaches mean. Heartbleed is the term given to the exploitation of a vulnerability in an SSL framework. SSL stands for Secure Sockets Layer and is the most standard security for establishing an encrypted link between a web server and a browser. Data has to travel between two networks and is protected by encryption. When it reaches its destination, it must be decrypted. Along the trip between encryption and decryption lies the vulnerability named Heartbleed.

Heartbleed works by replicating a website’s security certificate, allowing thieves access to a server’s encrypted data.

For example, imagine a really secure bank vault, where money has to be transferred from outside the bank to inside the bank, and the two are connected by a hallway. The bank then hires a guard to patrol the hallway and gives him two keys, one for the vault and one for the bank. The guard must unlock and relock both doors. Heartbleed makes a copy of the keys, wears the guard’s uniform and walks right into the vault.

No questions asked.

The reason Heartbleed is such a concern is that virtually every website uses some form of SSL and each website’s “vault” is now breached. When a website’s encrypted data is breached, that means credit card information, passwords, addresses and any other form data users are asked to fill out are now in the hands of anyone with the knowledge of how to exploit this breach.

The consensus among experts is the same as far as steps to protect yourself from any of these breaches: change your passwords, check your bank account for suspicious activity, and try to delete old accounts that are no longer of use.

The most cunning thieves are the kind that you can’t see.

The breach has affected many of our generation’s favorite social media sites such as Facebook and Instagram. Alarmingly, 90 percent of students surveyed said they were not concerned enough about these breaches to change their password.

“Changing my password is such a headache and I can barely remember the ones I have now. Besides, I don’t think there is anything of use on my Facebook or Instagram. If they really want my passwords for those sites they can have them,” said Bigard.

Christopher Frenz, professor of cybersecurity at Mercy College, clarifies how thieves can use information from Facebook.

“Even if a social networking site does not have credit card information or the like posted to it, it does not mean that there is no useful information that can be gained by attackers,” said Frenz.

One of the most egregious errors a person can make while using the internet is to have the same password for multiple accounts. According to Frenz, when the password for a site like Facebook has been compromised, it is possible that the same password is also the password for someone’s email account.

“Now given that email accounts are a common method of password recovery, whereby a business will send a password reset link to a user’s email account, control of someone’s email account provides a possible mechanism for accessing bank accounts or other accounts that the user may possess.”

It is important to note that Heartbleed is a very sophisticated way of stealing information and the gaps in the SSL framework have been fixed for the most part. However, passwords that have been compromised cannot be saved; therefore, they must be changed to eliminate the threat.

Frenz recommends opting for two-step authentication for important accounts. Two-step authentication typically uses a password and sends you a message via text or phone with a secondary code to verify a consumer’s identity. This extra step can end up saving one a lot of hassle in the long run.

Contrary to what students may think, even a person who doesn’t have credit may be the target of someone opening up a line of credit in that person’s name, because credit card companies are more lenient towards students looking to get their first credit card.

The stereotypical image of a cyber criminal is a picture of some guy in a basement. He’s clacking away at his keyboard, the room illuminated only by a black screen covered in confusing coded computer language. That, however, is just a stereotype. A cyber criminal can be anyone, even someone well dressed with a laptop, sitting next to you in a coffee shop.

Cyber thieves often use many different techniques that will eventually lead them to the information they need. They use a puzzle method, searching for easily found bits of information to put together. Information like birthdays and your mother’s maiden name can be easily found on Facebook along with other common password terms, such as your pet’s name.

Professor Frenz demonstrated how easily attackers can use seemingly innocuous information to uncover more information. Basic information provided when a website registers a domain name can be used to illustrate a social engineering attack.

Frenz also points out that cyber criminals don’t always stay behind the computer and typically use the information gathered to con the information they need out of someone.

“Information easily found on the Mercy College website could be enough to impersonate a staff member,” said Frenz.

He went on to explain how cyber thieves try to build a rapport with people by calling and impersonating someone else using names of employees who work at the same company. A cyber criminal will provide some real information to make the person feel comfortable and build trust. By the end of the phone call, that trust can be exploited as described by Frenz in an example of what a cyber criminal might say.

“As part of our organization security initiative, we are trying to establish that all employees have a secure password. Can you please provide me your password so that I can see if it meets the college’s complexity requirements….” Wait for response…“Thanks for your time,” described Frenz.

It can happen just that easily, and one might assume they would never fall for such an underhanded trick. The trouble is the criminal will just keep trying until someone does fall for it. The best thing to do if this happens to you is to report it immediately and stay educated on new tactics. Passwords for websites that offer online shopping should especially be changed often, and storing credit card numbers on those sites is not recommended.

Although many students were not concerned, 90 percent admitted they were frequent online shoppers; however, the problem does not only affect online shoppers, since many brick-and-mortar stores also fall victim to devastating security breaches.

“I don’t shop online a lot, but I don’t think people take this as seriously as they need to. I always keep my passwords random and that actually helps me remember them,” said Jenny Rodriquez, a sophomore studying biology.

Target, Lord &amp; Taylor, and Michaels have all reported security breaches that compromised their customers’ private information such as bank account information and email addresses.

“It’s as if you’re not safe anywhere. You have to use cash wherever you go. I only use my bank cards for things I really need. I refuse to even buy something as simple as music with my debit card,” said Bigard.

Although one may feel unsafe, Professor Frenz offers some ways to better equip students against these attacks, and the main point he makes is that educating yourself is key.

“In terms of protecting yourself from social engineering attack vectors such as this, one of the best things is to be aware that attacks like this are actually used, and hopefully reading this serves as a start of that awareness. Knowledge of attacks like this will help people to consider questioning attempts to ask for sensitive information before freely giving it out.”

If one feels that data has been compromised, that person needs to take action immediately, by contacting the proper authorities. It is wise to contact banks and credit card companies to get new cards and account numbers to prevent losing money.

An important step pointed out by Frenz is that students who may have been affected put a freeze on their credit reports to prevent others from being able to open up lines of credit in one’s name. There is no getting away from using technology, he warns. Therefore, the best thing to do is to use credit cards responsibly and remain educated enough to protect oneself from these kinds of threats.